Update on the SEC's Progress Toward Redesigning the Electronic Data Gathering, Analysis, and Retrieval System


In September 2017, the U.S. Securities and Exchange Commission (SEC or agency) Office of 
Inspector General (OIG) reported observations about controls over the SEC’s Electronic Data 
Gathering, Analysis, and Retrieval (EDGAR) system enhancements and redesign efforts. 1 We 
noted that the SEC’s EDGAR Redesign (ERD) program is a multi-year, cross-agency initiative 
and, since 2014, the SEC had taken steps to develop and implement a new electronic 
disclosure system that meets agency needs. We made one recommendation to strengthen the 
agency’s ERD program. 2 Since issuing our September 2017 report, we have continued to 
monitor the SEC’s progress toward redesigning the EDGAR system. We have not conducted 
an audit or evaluation in conformance with generally accepted government auditing standards 
or the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for 
Inspection and Evaluation. However, based on the work performed, we are reporting concerns 
that warrant management’s attention. We are also requesting that the SEC provide 
information about its plans to redesign the EDGAR system and, in the interim, [redacted] 
in the existing EDGAR system. This letter contains non-public information about 
the agency’s efforts to redesign the EDGAR system. We redacted the non-public information 
to create this public version. 

Executive Summary 

Since 2015, the U.S. Government Accountability Office (GAO) has reported that the 
management of information technology (IT) acquisitions and operations is a high-risk area 
needing attention by the executive branch and Congress. According to GAO, “Federal IT 


1 U.S. Securities and Exchange Commission, Office of Inspector General, Audit of the SEC’s Progress in 
Enhancing and Redesigning the Electronic Data Gathering, Analysis, and Retrieval System, Report No. 544; 
September 28, 2017. 

2 To improve the effectiveness of the ERD program, we recommended that the agency address constraints 
impacting the timely completion, review, and approval of contractor deliverables, commensurate with the ERD 
program’s strategic significance and importance to the SEC. After verifying completion of corrective action taken, 
on September 27, 2018, we closed the recommendation for reporting purposes. 
investments too frequently fail or incur cost overruns and schedule slippages while contributing 
little to mission-related outcomes.” 3 Moreover, in an April 2017 report, GAO noted that, in 
reports issued between fiscal years 2010 and 2015, GAO made 803 recommendations to the 
Office of Management and Budget and Federal agencies to address shortcomings in IT 
acquisitions and operations. 4 

To maintain visibility into this high-risk area with respect to the SEC, we continued to monitor 
the agency’s progress toward redesigning the EDGAR system, which is at the heart of the 
agency’s mission of protecting investors; maintaining fair, orderly, and efficient markets; and 
facilitating capital formation. In 2014, the SEC formally began efforts to redesign the system 
and, since that time, has taken several steps to develop a new electronic disclosure system, 
including spending about $10.6 million on related contracts. However, we determined that: 


• The agency’s approach to redesigning the EDGAR system is unclear; 

• ERD program cost and schedule estimates presented to agency decision makers and 
senior officials were not based on best practices; and 

• The EDGAR Business Office (EBO) created a Grand Functional Requirements 
Document (Grand FRD) for the redesigned EDGAR system, but did not include 
sufficient detail about the system’s security requirements. 


As we reported in September 2018, 5 the existing EDGAR system continues to operate 
[redacted]. Over the last two years, the EBO and the SEC’s Office of Information Technology (OIT) 
initiated a multi-phase “EDGAR Security Uplift” [redacted]. This effort is ongoing. 

To help us determine whether further action by the OIG is warranted, we are requesting that 
the SEC clarify and provide to the OIG its approach to redesigning the EDGAR system. We 
are also requesting that the SEC describe planned or ongoing actions to: 


a. manage the ERD program using reliable cost and schedule estimates based on 
established methods and valid data; 


b. integrate “functional requirements” with “non-functional requirements,” including those 
for security, recoverability, testability, and maintainability, with sufficient detail that future 
offerors can propose viable solutions and designs as part of a future competitive 
procurement; and 


c. [redacted] further manage [redacted] in the existing EDGAR system. 


3 U.S. Government Accountability Office, High-Risk Series: Substantial Efforts Needed to Achieve Greater 
Progress on High-Risk Areas, GAO-19-157SP; March 6, 2019. 

4 U.S. Government Accountability Office, Information Technology: Opportunities for Improving 
Acquisitions and Operations, GAO-17-251SP; April 11, 2017. 

5 U.S. Securities and Exchange Commission, Office of Inspector General, Evaluation of the EDGAR System’s 
Governance and Incident Handling Processes, Report No. 550; September 21, 2018. 
Background 

Federal securities laws require public companies to disclose information on an ongoing 
basis, and EDGAR is the database of disclosure documents that public companies are 
required to file with the SEC. EDGAR’s purpose is to increase the efficiency and fairness of 
the securities markets for the benefit of investors, corporations, and the economy by 
accelerating the receipt, acceptance, dissemination, and analysis of time-sensitive corporate 
information filed with the SEC. The SEC implemented the EDGAR system in 1992, although 
development of an “electronic library” began almost a decade earlier. 6 

Although the SEC continues to enhance the EDGAR system to accommodate changes in 
technology and address the increasing complexity and volume of filings submitted to the 
agency, in September 2014, the agency launched a “multi-year initiative to develop the next 
generation electronic disclosure system,” called the ERD program. The intent of the ERD 
program is to create a new, modernized system that will, among other things: 

• meet requirements for real-time system updates, 

• reduce filer burden by providing simplified search and filing options based on filer 
experience, 

• improve data capture by moving to structured formats for various SEC forms that will 
reduce the burden of producing and consuming the data, and 

• limit the long-term costs of operating and maintaining the system. 

To accomplish these goals, the SEC took several steps, including awarding multiple contracts 
at a total cost of about $10.6 million. These contracts have included efforts to (1) review and 
analyze the current disclosure environment (at a cost of about $4.4 million), (2) identify 
EDGAR system stakeholder needs and prepare a request for proposal (at a cost of $122,500), 
and (3) gather functional and non-functional requirements for the new system (at a cost of 
about $6.1 million). In addition, as discussed further below, several organizations within the 
SEC have shared responsibility for redesigning the EDGAR system. 

OIT. OIT supports the Commission and SEC staff in all aspects of IT, including 
application development, infrastructure operations and engineering, IT program management, 
capital planning, security, and enterprise architecture. OIT operates the EDGAR system and 
hosts the EDGAR database for free public access, and [redacted] 
serves as the information system owner. In addition, OIT’s information 
security organization provides engineering expertise to help identify strategies for developing 
and deploying technology in a secure manner. Security personnel also evaluate controls for 


6 According to a May 2016 speech by then SEC Commissioner Kara Stein, the SEC began building an “electronic 
library” in 1984. The agency awarded the first contract to build the EDGAR system, as a source of information for 
investors, in 1989. 
storing, processing, and transmitting sensitive information, and regularly detect and respond to 
security incidents affecting SEC systems, including EDGAR. 

EBO. The EBO, which includes the EDGAR Program Office, provides direct executive- 
level oversight for the ongoing transformation of specific functions and programs, including 
business ownership of the EDGAR system and the ERD program. The EBO Director serves 
as the business owner for the EDGAR system. The EDGAR Program Office provides 
operational support to the EBO and coordinates between SEC divisions and offices to resolve 
EDGAR-related issues. The EDGAR Program Office also serves as a business partner to OIT 
and represents the business interests of SEC divisions and offices in the EDGAR software 
development lifecycle. 

ERD Oversight Board, Cyber Initiative Working Group, and IT Investment Boards. The 
ERD Oversight Board provides oversight, including input and support for addressing material 
issues or risks, and approves the overall strategic direction of the ERD program. In addition, 
although not a formal committee, in 2017, the agency established a Cyber Initiative Working 
Group composed of senior officials to centralize and enhance decision-making for information 
security agency-wide and to oversee and lead a number of priority cyber initiatives, including 
those related to the EDGAR system. Finally, the SEC’s IT investment boards are responsible 
for selecting, overseeing, and evaluating IT investments within their purview, including those 
related to the ERD program. Such boards include the Information Officers’ Council, which is 
responsible for determining which IT investments best meet the needs of the agency, among 
other things. 

Scope and Methodology 

Between October 2018 and May 2019, we continued to monitor the SEC’s progress toward 
redesigning the EDGAR system. We interviewed SEC officials, including OIT and EBO 
personnel, ERD Oversight Board members, and Cyber Initiative Working Group members. We 
also reviewed presentations, meeting minutes, budget submissions, and functional 
requirements. Although the work performed did not constitute an audit or evaluation in 
conformance with generally accepted government auditing standards or Quality Standards for 
Inspection and Evaluation, the observations noted warrant management’s attention and 
response. 

Results 

Agency’s Approach to Redesigning the EDGAR System Is Unclear. Over time, the SEC’s 
approach to redesigning the EDGAR system has evolved. For example, from the beginning of 
the ERD program in September 2014 until around February 2017, officials described the 
preferred approach as a “complete redesign,” “new greenfield solution,” and “completely clean 
slate,” noting that the ERD program was “not aimed to identify the issues with current EDGAR 
and resolved [sic] them.” Furthermore, in his June 28, 2016, project request before the 
Information Officers’ Council, the former EBO Director stated that the SEC was “embarking on 
the delivery of a new greenfield electronic disclosure environment” and, therefore, would 
require funding to gather and document functional and non-functional requirements. Having 
received the Council’s approval, in September 2016, the SEC awarded to Sapient Government 
Services, Inc. (Sapient) a contract to gather and document requirements “to build the new 
electronic disclosure solution.” 


Then, around July 2017, ERD officials began describing the focus of the ERD program as 
“limiting the risk of a big-bang approach and identifying specific areas which can be improved 
to address needs of EDGAR [sic] in the short-term with the ability to live beyond the new 
electronic filing solution environment.” In September 2017, the ERD Oversight Board agreed 
that the existing EDGAR system would require significant changes to meet new challenges, 
including security vulnerabilities that resulted in individuals gaining unauthorized access to 
non-public information stored in the system. 7 Due at least in part to the intense focus on the 
system’s security posture following the intrusion, the ERD Oversight Board began revisiting the 
plan to build an entirely new electronic disclosure solution. During this period, the EBO and 
OIT initiated a multi-phase EDGAR Security Uplift. This effort has included [redacted], 
among other things. 


Nevertheless, EBO presentations to the ERD Oversight Board and the Cyber Initiative Working 
Group in September and October 2018 continued to describe the following “Two Approach 
Options” for the ERD program: 


1. Big-Bang: The agency would build a new system separate from the existing EDGAR 
system and both systems would run parallel for a period of time. 

2. Transformative: [redacted] enhancements focused on business capabilities. 



It is unclear whether both approaches are still under consideration. In the Chairman’s 
December 11, 2018, congressional testimony, he stated that staff continued to explore 
alternatives “including the possibility of implementing a new electronic disclosure solution.” 9 
Yet, with the approval of Phase V of the agency’s ongoing EDGAR Security Uplift on 
March 29, 2019, it would appear that the SEC has effectively selected the Transformative 
approach. Specifically, Phase V involves [redacted] at an estimated cost of about [redacted]. 
However, shortly before that approval, on March 18, 2019, the agency released its Fiscal Year 2020 
Budget Request By Program, which stated: 


7 In a September 20, 2017, Statement on Cybersecurity, the SEC Chairman publicly disclosed that an incident— 
specifically, a software vulnerability in an EDGAR system component—previously detected in 2016 resulted in 
unauthorized access to non-public information. 


9 SEC Chairman, Jay Clayton, testimony on “Oversight of the U.S. Securities and Exchange Commission” before 
the U.S. Senate Committee on Banking, Housing, and Urban Affairs; December 11, 2018. 
In [fiscal year] 2020 and beyond, EBO will continue its direct executive-level 
oversight for the EDGAR system to provide greater control, accountability, and 
transparency of the system’s business operations to include the ongoing 
EDGAR Redesign Program for the delivery of a new electronic filing 
environment [emphasis added]. 10 

The EDGAR system is at the heart of the SEC’s mission, and redesigning it is a substantial 
undertaking that involves significant risk and resources. Clarifying the agency’s approach to 
redesigning the system would ensure that internal and external stakeholders are informed and 
responsible officials are able to manage the risk and resources to achieve the agency’s goals 
and objectives. 

ERD Program Cost and Schedule Estimates Presented to Agency Decision Makers and 
Senior Officials Were Not Based On Best Practices. As shown in the table below, between 
June 2015 and September 2018, ERD officials developed various, wide-ranging cost estimates 
and proposed completion dates for the redesign approaches being considered. In June 2015, 
the ERD program’s baseline estimate for requirements development and solutions delivery 
totaled between [redacted] and [redacted] with completion planned for June 2019. Then, in 
the SEC’s November 2017 [redacted], the agency’s then Chief Information 
Officer reported an EDGAR redesign estimate of about [redacted] based on benchmarks of 
similar programs. 11 About 7 months later, in June 2018, estimates changed again with ERD 
officials reporting that, between 2018 and the project’s new completion date of 2023, ERD 
program costs would total about [redacted]. Then, in September 2018, after revisiting 
redesign approaches, ERD officials estimated the total cost for the Big-Bang approach as 
[redacted] with an estimated completion date of 2025, and the total cost for the 
Transformative approach as [redacted] with an estimated completion date of 2023. 12 


10 U.S. Securities and Exchange Commission, Fiscal Year 2020 Congressional Budget Justification and Annual 
Performance Plan; Fiscal Year 2018 Annual Performance Report; March 18, 2019. 


11 [redacted] This estimate has since been removed from the [redacted]. 

12 These two cost estimates were inclusive of both ongoing operations and maintenance costs for the EDGAR 
system, as well as development, modernization and enhancement costs for the ERD program. According to an 
[redacted], the estimated project completion dates for the Big-Bang 
approach and Transformative approach were six and four years, respectively, from 2019. 
Table. Evolution of ERD Program Cost and Schedule Estimates 

Date              Cost Estimate                          Estimated Completion Date 
June 2015         Between [redacted] and [redacted]      June 2019 
November 2017     [redacted]                             Not Specified 
June 2018         [redacted]                             2023 
September 2018    Big-Bang: [redacted]                   2025 
                  Transformative: [redacted]             2023 

Source: OIG-generated based on ERD Oversight Board documents and the SEC’s November 2017 [redacted]. 


To help the SEC determine an approach, strategy, and funding needs for redesigning the 
EDGAR system, EBO officials presented the September 2018 estimates to agency decision 
makers and senior officials, including the ERD Oversight Board and the Cyber Initiative 
Working Group. When asked about the substance and origin of the estimates, EDGAR’s then 
business owner stated that the estimates were based on a “guess” and not best practices such 
as those established in GAO’s Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs 13 (GAO’s Cost Guide). More recently, on 
February 5, 2019, an ERD official stated that, because “there was no clear definition on scope, 
[they had not] come up with the budget amount yet.” On March 18, 2019, the same ERD 
official confirmed that the EBO was still working on high-level cost and schedule estimates for 
senior management’s consideration. We are unaware of the basis for the cost and schedule 
estimates used to approve Phase V of the EDGAR Security Uplift on March 29, 2019. 

According to GAO’s Cost Guide, the ability to generate reliable cost estimates is a critical 
function, necessary to support capital programming processes. The Cost Guide notes that, 
without this ability, agencies are at risk of experiencing cost overruns, missed deadlines, and 
performance shortfalls, as cost estimates “predict, analyze, and evaluate a program’s cost and 
schedule and serve as a critical program control planning tool.” Because the SEC did not use 
GAO’s cost estimating methodology or other best practices to develop ERD program cost and 
schedule estimates, agency decision makers and senior officials are at risk of relying on 
inaccurate information to make strategic and budgetary decisions, which could negatively 
affect the ERD program as well as other planned agency IT priorities and investments. 

EBO Grand FRD Did Not Contain Sufficient Detail About Security Requirements. As 
previously stated, in September 2016, the SEC awarded to Sapient a contract to gather and 
document functional and non-functional requirements for a new electronic disclosure solution. 
Although the SEC accepted Sapient’s November 2018 Grand FRD for the redesigned EDGAR 
system and related technical documents, the Grand FRD did not include sufficient detail about 
the system’s requirements for security, recoverability, testability, and maintainability, as further 
described below. 


13 U.S. Government Accountability Office, Cost Estimating and Assessment Guide: Best Practices for Developing 
and Managing Capital Program Costs, GAO-09-3SP; March 2, 2009. 
According to the SEC’s contract with Sapient, the contractor was to document functional and 
non-functional requirements “in enough detail so that the future Offerors could propose viable 
solutions and designs as part of a competitive procurement.” The contract defined “functional 
requirements” as “a thorough and precise articulation of all of the capabilities, functions, 
components and associated processes required to effectively describe a comprehensive 
system.” The contract defined “non-functional requirements” as “characteristics, attributes, or 
constraints of a system” including security, recoverability, testability, and maintainability. 

Between 2016 and 2018, at a cost to the SEC of about $6.1 million, Sapient gathered, 
documented, and vetted requirements for the redesigned EDGAR system during 172 meetings 
with 161 representatives from 12 SEC divisions and offices, including OIT. However, 
contractor personnel met with OIT security personnel only once to gather security-specific 
requirements for the redesigned system. Furthermore, the Grand FRD did not include all of 
the potential requirements discussed during that meeting with OIT security personnel, such as 
[redacted]. 

On November 7, 2018, Sapient delivered to the SEC (and the SEC accepted) the Grand FRD 
for the redesigned EDGAR system. Sapient provided nine SEC business stakeholders with a 
draft of the Grand FRD and gave them an opportunity to comment on it. However, this vetting 
process did not include the SEC Chief Information Security Officer as a stakeholder. Although 
the Grand FRD included some security requirements, such as access controls and controls 
over identification and authentication of users, the document did not address security 
requirements related to recoverability, testability, and maintainability, including requirements 
for configuration management, contingency planning, and data encryption. 



lough this document included requirements tor configuration management, contingency 
planning, and data encryption, Sapient did not integrate or incorporate these items into the 
Grand FRD. Similar to the process for the Grand FRD, Sapient did not give OIT security 
personnel the opportunity to comment on this document. The document was marked “Review 
waived by SEC, due to the technical nature of the cycle.” 15 


The National Institute of Standards and Technology Special Publication 800-64, Security 
Considerations in the System Development Life Cycle (Revision 2, October 2008), states that 
early planning and awareness will result in cost and time savings through proper risk 
management planning. Moreover, the Special Publication makes clear that security 
discussions should be performed as part of (not separately from) the development project to 
ensure solid understandings among project personnel of business decisions and their risk 
implications to the overall development project. Similarly, the SEC’s [redacted], 
system development lifecycle process, and [redacted] 
collectively establish that IT security requirements must be integrated into 
all phases of the SEC’s system and services development and acquisition processes. Finally, 
the SEC’s contract with Sapient clearly states that the contractor was to provide non-functional 
requirements for system security, recoverability, testability, and maintainability. 16 Early 
integration of security controls into the ERD program could assist the SEC in early 
identification and mitigation of vulnerabilities, as well as prevent the need for costly 
reconfiguring or customizing of the system later to ensure adequate controls and to meet 
mandatory security requirements. 


14 The SEC’s Chief Information Security Officer served on the Cyber Initiative Working Group and received 
periodic updates regarding the ERD program. 

15 Sapient also provided the agency with a separate [redacted]. Similarly, 
Sapient did not integrate or incorporate this document into the Grand FRD [redacted] “Review waived by SEC, 
due to the technical nature of the cycle.” 


REDACTED FOR PUBLIC RELEASE 

Mr. Johnson 
May 23, 2019 
Page 9 


Conclusion 


Although the SEC has taken steps and expended considerable funds since 2014 to develop a 
new electronic disclosure system, additional management attention is needed to address our 
observations and help the EBO mitigate recognized IT acquisition and operation risks that can 
lead to cost overruns, unrealistic or missed deadlines, and performance shortfalls. 

On May 7, 2019, we provided SEC management with a draft of our management letter for 
review and comment. In its May 17, 2019, response, management concurred with our overall 
observations and stated that it remains committed to modernizing and improving the security, 
functionality, and maintainability of the EDGAR system. Although management did not use 
cost and schedule estimates based on best practices for its deliberations about the appropriate 
high-level strategy for the EDGAR system, management anticipates preparing more detailed 
estimates, based on best practices, later in the process. Also, although the Grand FRD did not 
describe in detail security requirements for redesigning EDGAR, management anticipates it will 
obtain detailed security requirements in a future phase of the project. Finally, management 
expects that completed and ongoing work will modernize much of the EDGAR system, achieve 
many of the goals of the original EDGAR redesign project, and position the system for further 
modernization. Management’s comments are included as an attachment to this final 
management letter. 

To help us determine whether further action by the OIG is warranted, we request that, no later 
than June 6, 2019, management provide to the OIG the SEC’s approach to redesigning the 
EDGAR system. Please also describe planned or ongoing actions to: 

a. manage the ERD program using reliable cost and schedule estimates based on 
established methods and valid data; 

b. integrate “functional requirements” with “non-functional requirements,” including those 
for security, recoverability, testability, and maintainability, with sufficient detail that future 


16 The contract’s period of performance ended on November 16, 2018, and Sapient’s final invoice was dated 
November 28, 2018. 
offerors can propose viable solutions and designs as part of a future competitive 
procurement; and 


c. [redacted] further manage [redacted] in the existing EDGAR system. 


We appreciate management’s cooperation and look forward to receiving the information 
requested above. If you have questions, please contact Rebecca L. Sharek, Deputy Inspector 
General for Audits, Evaluations, and Special Projects. 


Attachment 


cc: Jay Clayton, Chairman 

Lucas Moskowitz, Chief of Staff, Office of Chairman Clayton 
Sean Memon, Deputy Chief of Staff, Office of Chairman Clayton 
Peter Uhlmann, Managing Executive, Office of Chairman Clayton 
Robert J. Jackson Jr., Commissioner 

Prashant Yerramalli, Counsel, Office of Commissioner Jackson 
Hester M. Peirce, Commissioner 
Jonathan Carr, Counsel, Office of Commissioner Peirce 
Elad Roisman, Commissioner 

Matthew Estabrook, Counsel, Office of Commissioner Roisman 

Gabe Benincasa, Chief Risk Officer 

John J. Nester, Director, Office of Public Affairs 

Robert B. Stebbins, General Counsel 

Bryan Wood, Director, Office of Legislative and Intergovernmental Affairs 
Charles Riddle, Acting Director/Chief Information Officer, Office of Information 
Technology 

Jeffrey Hickman, Acting Director, EDGAR Business Office 
Vance Cathell, Director, Office of Acquisitions 
UNITED STATES 

SECURITIES AND EXCHANGE COMMISSION 
WASHINGTON, D.C. 20549 


May 17, 2019 

Rebecca L. Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects 

Office of Inspector General 

U.S. Securities and Exchange Commission 

Washington, D.C. 20549 

Dear Ms. Sharek: 


Thank you for the opportunity to respond to the Office of Inspector General's "Draft 
Management Letter: Update on the SEC's Progress Toward Redesigning the Electronic Data 
Gathering, Analysis, and Retrieval System," dated May 7, 2019. 

The SEC remains committed to modernizing the EDGAR system and improving its 
security, functionality, and maintainability. We greatly value our partnership with OIG and 
welcome the benefit of your observations and the opportunity to provide additional 
information that may help in understanding the agency's efforts to improve the EDGAR 
system. 

Observation #1: Agency's Approach to Redesigning the EDGAR System Is Unclear 


We concur that the SEC's approach to redesigning the EDGAR system has evolved 
over the past five years. A primary driver behind this evolution was our focus on the 
security of the EDGAR system. In particular, following the discovery in August 2017 of an 
intrusion into the test filing component of the EDGAR system, the agency began work on a 
multi-phase EDGAR security uplift effort. Since that time, the SEC has expended significant 
time and resources to strengthen the security of the EDGAR system, to include 
collaborating with third-party cybersecurity firms to conduct multiple assessments of 
system security; [redacted] implementing 
new security controls; and reducing the sensitivity of the data taken in by the system. The 
first four phases of the EDGAR Security Uplift were completed in 2017 and 2018, resulting 
in enhanced protections for proactive [redacted], additional [redacted], and improvements 
made to the system's [redacted]. Phase V planning began in early 2018, and an 
intensive eight-week technical feasibility assessment focused on the [redacted] 
was conducted in the summer of 2018, with final delivery of the 
assessment in September 2018. After considering the feasibility assessment and a 
preliminary cost estimate to complete that work, agency management asked the vendor 
supporting the EDGAR system to craft a more detailed proposal for Phase V, with specific 
estimated timelines and a more detailed implementation strategy. That proposal was 
reviewed by management and subsequently approved by the Chief Operating Officer on 
March 29, 2019. Work on Phase V is currently proceeding. 

Phase V is designed to dramatically improve the EDGAR system and provide the 
agency with a platform on which to continue to build and enhance functionality for years to 
come. As a result of Phase V, it is expected that the EDGAR system will, among other 
benefits: 

1. Incorporate [redacted] 

2. Be [redacted] 


It is expected that the improvements to EDGAR resulting from Phase V will satisfy 
many of the goals of EDGAR redesign, as set forth at Page 3 of your letter. For example, 
once completed in [redacted], it [redacted] 
and limit the long-term costs of operating and maintaining the EDGAR system. As Phase V 
is proceeding, the SEC is planning and prioritizing additional improvements to EDGAR, 
leveraging the functional requirements gathered to date. 

Observation #2: ERD Program Cost and Schedule Estimates Presented to Agency 

Decision Makers and Senior Officials Were Not Based on Best Practices 

We concur that the EDGAR redesign program cost and schedule estimates discussed 
in your letter were not based on best practices. However, we should note these were 
preliminary estimates, and that we had anticipated preparing more detailed estimates, 
based on best practices, later in the process. Typically, planning for information technology 

Attachment 


projects contemplates that business functional requirements will be finalized prior to 
preparation of formalized cost and schedule estimates. The estimates that are the subject 
of your letter - referenced in the table on page 6, from June 2015 to September 2018 - 
were for discussion purposes in conjunction with management's deliberations about the 
appropriate high-level strategy for EDGAR. The agency did not receive final functional 
business requirements until Sapient delivered the Grand FRD in November 2018. 

With regard to Phase V, we spent significant time estimating the cost and schedule 
for this project requiring the contractor to provide more detailed estimates as well as 
preparing our own internal estimates. It was upon those more detailed cost and schedule 
estimates that management approved Phase V. You noted that you are unaware of the 
basis of the cost and schedule estimates used to approve Phase V. We would be happy to 
provide you the materials supporting these estimates. 

Observation #3: EBO Grand FRD Did Not Contain Sufficient Detail About Security 

Requirements 

We concur that the Grand FRD did not describe in detail security requirements for a 
redesign of EDGAR. The EDGAR Business Office anticipated that it would obtain detailed 
security requirements in a future phase of the project. As noted above, Phases I-V 
prioritized security improvements and the SEC will continue to integrate security 
considerations and requirements into its future planning for the system. 


Conclusion 


The agency's first priority for the EDGAR system is to improve its security. 
Accordingly, we have focused our energies on completing four phases of security 
[redacted] 
modernize much of EDGAR, achieve many goals of the original EDGAR redesign project, and 
position the system for further modernization. We would be happy to keep your office 
abreast of our progress in implementing Phase V and in finalizing our strategy for 
additional improvements. 

Thank you for your helpful perspectives and suggestions on this important system, 
and we look forward to continuing to work with you and your staff as the agency continues 
its efforts to improve the EDGAR system. 



Kenneth A. Johnson 
Chief Operating Officer 